I just migrated all my warm buckets over to our new Splunk server (CentOS) from Windows. I have quite a few custom field extractions that I'd like to migrate over as well. How do I do that?
All custom configurations are stored in "local" subfolders in the $SPLUNK_HOME/etc directory. You can simply copy over the relevant custom configuration files from the older server. Be sure you do not copy over the $SPLUNK_HOME/etc/system/local/server.conf or $SPLUNK_HOME/etc/system/local/inputs.conf wholesale (you might have to do so directly), as those contain the specific server names. Other configurations you may have to make determinations based on differences between servers.
Thanks! I looked in the suggested location, and I see these files:
README authentication.conf inputs.conf server.conf web.conf alert_actions.conf eventtypes.conf migration.conf tenants.conf
None of them have the field extractions I'm looking for though. 😞 Where else might they be stored?
You will have to check all your apps folders, not just the "system" folder which was noted as an example. You should look through all folders that match the pattern
$SPLUNK_HOME/etc/apps/*/local/*.conf Although, most likely, your customization will be in the "search" app.
Perfect! Found what I was looking for at $SPLUNK_HOME/etc/apps/search/local/props.conf. I copied it over to the same location on the new server and restarted splunk, and I see all my field extractions! Woohoo! You saved me! Thanks gkanapathy!